https://www.secdev.uk/blog/tags/concurrency/ Recent content in Concurrency on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 16 Aug 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-08-16-race-conditions/ Sat, 16 Aug 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-08-16-race-conditions/ <p>Race conditions (CWE-362) are, in my opinion, the most insidious class of security bugs you&rsquo;ll encounter. They occur when the behaviour of a program depends on the relative timing of concurrent operations, and at least one of those operations modifies shared state. The window between a check and a subsequent use of the checked value, the classic time-of-check to time-of-use (TOCTOU) pattern, is the most exploited form, but races also show up in counter increments, balance updates, session management, and file operations. What makes race conditions uniquely dangerous is their non-determinism: the bug may not manifest in thousands of test runs, then appear under production load when two requests arrive within microseconds of each other. I want to walk through race conditions in Python, Go, Java, and Rust, from the obvious unprotected counter to the subtle channel-based ordering assumption that passes every test but fails under contention.</p>